Fix hedgedoc oauth, update flake, update sops

2023-04-26 23:40:18 +02:00
parent 7d9a648030
commit 9e64e2dd1f
6 changed files with 52 additions and 55 deletions
--- a/hosts/voyager/configuration.nix
+++ b/hosts/voyager/configuration.nix
@@ -46,14 +46,13 @@
  };

  sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  environment.variables = { EDITOR = "vim"; };
  environment.systemPackages = with pkgs; [
    ((vim_configurable.override {  }).customize{
     name = "vim";
     vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
-     start = [ vim-nix vim-lastplace ];
+     start = [ vim-nix vim-lastplace vim-commentary ];
     opt = [];
     };
     vimrcConfig.customRC = ''
--- a/hosts/voyager/services/hedgedoc.nix
+++ b/hosts/voyager/services/hedgedoc.nix
@@ -2,8 +2,9 @@
 let
    cfg = config.services.hedgedoc.settings;
    domain = "md.feal.no";
-    port = 3000;
+    port = 3300;
    host = "0.0.0.0";
+    authServerUrl = config.services.kanidm.serverSettings.origin;
 in {
    # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
    sops.secrets."hedgedoc/env" = {
@@ -12,27 +13,27 @@ in {

    services.hedgedoc = {
        enable = true;
-
+        environmentFile = config.sops.secrets."hedgedoc/env".path;
        settings = {
            inherit domain port host;
            protocolUseSSL = true;
+            sessionSecret = "$CMD_SESSION_SECRET";
+
+            allowFreeURL = true;
            db = {
                dialect = "sqlite";
                storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
            };
-            environmentFile = config.sops.secrets."hedgedoc/env".path;

            email = false;
-            oauth2 = let
-              authServerUrl = config.services.kanidm.serverSettings.origin;
-            in {
+            oauth2 = {
              baseURL = "${authServerUrl}/oauth2";
              tokenURL = "${authServerUrl}/oauth2/token";
              authorizationURL = "${authServerUrl}/ui/oauth2";
              userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";

              clientID = "hedgedoc";
-              clientSecret = "";
+              clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
              scope = "openid email profile";
              userProfileUsernameAttr = "name";
              userProfileEmailAttr = "email";
@@ -43,14 +44,11 @@ in {

        };
    };
-    services.nginx.virtualHosts.${domain} = {
-      locations."/" = {
-        proxyPass = "http://${host}:${toString port}/";
-      };

-      locations."/socket.io/" = {
-        proxyPass = "http://${host}:${toString port}/";
-        proxyWebsockets = true;
-      };
+    systemd.services.hedgedoc.serviceConfig = {
+      WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
+      StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
    };
+
+    networking.firewall.allowedTCPPorts = [ port ];
 }